Foundational cyber security concepts: built to last

You hear it almost every day, in every environment: “things just aren’t built to last like they used to be”. In product terms this is the ‘minimum viable product’ or ‘core product’ mindset: shipping something that works today without planning for the scale it will need tomorrow.
As cyber security challenges keep evolving, the core of our overall security programme needs to be well planned and understood so that it remains fit for purpose. If we build on shaky foundations, not only will they fail to scale, but their failure may well cause irreparable damage. In this blog, Senior Information Security Consultant Simon Discombe sets out the key cyber security concepts you need to build a programme that lasts.

The playing field for security is decidedly unbalanced in favour of those trying to attack us. With the threat landscape repeatedly described as ‘sophisticated’ or ‘advancing’, we are seeing more and more AI-based tools entering the market to combat threats, and fewer tools that target the existing, underlying flaws that expose us to malicious actors. These flaws range from a lack of skilled security workers to a poorly constructed approach to managing change and assets. Neither can be resolved by simply applying a new technical tool. However, by taking the opportunity to build something that lasts, we can drastically reduce the common security failures that produce the all-too-familiar headlines of a company losing control over its data.

Whether your security strategy is already in operation or you are just starting out, setting yourself up for success will deliver lasting value to the business and to the assets it needs protected.

The question of where to start involves a good amount of consideration to make sure that the security programme is in alignment with your business objectives. What does your organisation see as a critical asset or process that drives revenue?

Assessments of what you are trying to protect, and why, need to be conducted to avoid applying expensive or overly cumbersome solutions that are out of sync with business operations. As a minimum, consider the following:

  • Why do you want to build a security programme?
  • Do you have the authority to begin?
  • Can you outline a plan for development (one, two or five year planning)?
  • What are the key building blocks needed to deliver security?

Once confirmed that a security programme is the right place to expend effort, the scope of the programme needs to be defined. This ensures that an established security baseline will be implemented and flow through to the introduction of further initiatives. Some key factors relating to the design of your programme often include:

  • Pre-existing designs
  • A scope of what the programme applies to
  • Business-critical processes, services or products and what underpins them
  • What the programme intends to achieve
  • Available resource and budget
  • The importance or key drivers of the programme
  • Key people required for onward success
  • Creating a roadmap and milestones
  • How to measure the programme’s success

Why are strong security fundamentals important?

There are multiple reasons to develop a sound security programme. Some are compliance driven, some are requested by stakeholders, and others are motivated by a desire to do right by your client base. Knowing why you are embarking on the journey helps you understand how you will get there. If you liken a security programme to a road trip, you need to define your destination to know what the milestones will be, how long it will take, and how much the journey will cost. The ‘why’ is also how you will foster support.

Authority

While many of the above factors are vital in planning and building a security programme that will succeed, none is more important than gaining approval from senior leadership. Without authority and top-tier leadership buy-in, all initiatives are destined for failure before they start. Expending resources without appropriate authority not only confines initiatives to draft status indefinitely but could also result in disciplinary action.

Planning strategically

After gaining approval, the next important step is to formalise the design that we are proposing to build. This should include input from senior leadership, security assessments and compliance mandates to define a direction of travel for future security strategy.

At this juncture, the aim is to outline a structure that is flexible enough to adapt to change but strong enough to scale with the business. We do this by creating a bespoke security programme. A common pitfall is to plan security by copying what others have done; unless the plan is built around your own assets and your own future, you may simply be deploying someone else’s flawed plan.

Building blocks

The very foundations of the security programme must be relatively simple in nature. By over-engineering the basis of our security programme, we may never get it off the ground. Starting with the basics means just that: clearly defined principles. Published guidance from the NCSC, NIST, CIS and Microsoft is a good place to find them, but beware of falling down the rabbit hole.

To start, all of the above references remind us that we can’t control something if we don’t know we have it, where it is, or what state it is in; this is why good Asset Management is essential. Once we know what assets we are trying to protect, we can assess their exposure through holistic Risk and Threat Management activity, which in turn drives the supporting Access and Change Controls.

A key point to remember in building is that security is about the physical and personnel domains just as much as the technical aspect, as people will ultimately be delivering the operating environment. 

The above steps can be daunting for some security teams, and more so for role holders who are unfamiliar with, or untrained in, delivering such a strategy. If you find yourself wanting to start but need expert help on your team, experienced Advania consultants are ready to support you on your journey from discovery to implementation.

Bring your own design

Now that we have permission to build, there are a few different ways that we can do so. However, by far the easiest of the possibilities is to return to the question of why we are building. What drivers specify the controls that we need? Certain standards and regulations such as ISO 27001 or PCI DSS may mandate key controls, but tailored security requires knowledgeable personnel within the business to deliver operational security against identified gaps. 

Defining what is essential for maintaining a stable structure, who will be supporting it and what will be protected will form the basis of our building plans or ‘High-Level Designs’. By taking an asset-centric approach to security, the design becomes inseparably linked to the business objectives, and that much easier to implement. The controls we then apply to each asset can address a specific need of the business, such as providing formally documented guidance, physically protecting people, property and assets, or applying technology to monitor and respond efficiently to events.

Asset management

In an ideal world, we should know what we have and, therefore, what we have to defend. The reality is that personal storage, shadow IT, and inconsistent ownership often lead to uncontrollable and decentralised asset management. From a technical standpoint, this can be centralised into a platform such as a Managed Device Service that interacts with devices and software, but from a data, physical or personnel asset perspective, security management often falls short of being holistic.

This building block is fundamental to effectively understanding criticalities of the business and appropriately allocating resources where they are required. 
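As an added illustration (not from the original post), the reconciliation this section describes can be automated once you hold exports from more than one source. The Python below cross-checks three constructed inventories: a device-management export, a list of hosts observed on the network, and a CMDB with owners. Every hostname, owner and address is an assumption chosen for the example, and the source formats are simplified to dictionaries. It reports devices nobody knows about (shadow IT), known devices that are not enrolled, records with no accountable owner, and records for devices no longer seen, plus a management-coverage figure you could track as a programme metric.

```python
"""Reconcile asset inventories from three sources to find control gaps.

All data below is constructed for illustration; in practice replace the
dictionaries with real exports (MDM/CMDB API output, DHCP or scan results).
"""

# Device-management (MDM) export: hostname -> reported operating system.
MDM_EXPORT = {
    "LAPTOP-0412": "Windows 11",
    "LAPTOP-0413": "Windows 11",
    "MAC-0071": "macOS 14",
}

# Hosts observed on the network in the last 24 hours: hostname -> IP address.
NETWORK_SCAN = {
    "LAPTOP-0412": "10.1.4.12",
    "MAC-0071": "10.1.4.71",
    "NAS-KITCHEN": "10.1.4.200",  # nobody registered this device
    "PRINTER-02": "10.1.4.50",
}

# CMDB records: hostname -> accountable owner ("" means no owner recorded).
CMDB = {
    "LAPTOP-0412": "j.smith",
    "LAPTOP-0413": "",
    "MAC-0071": "a.jones",
    "PRINTER-02": "facilities",
    "SRV-OLD-01": "",  # decommissioned but never removed from the CMDB
}


def reconcile(mdm, scan, cmdb):
    """Cross-check the three sources and return sorted lists of findings."""
    managed, seen, recorded = set(mdm), set(scan), set(cmdb)
    findings = {
        # On the network but known to neither system: classic shadow IT.
        "unknown": seen - managed - recorded,
        # Recorded and live, but not under management: review whether it can
        # be enrolled or needs a compensating control.
        "unenrolled": (seen & recorded) - managed,
        # Nobody is accountable, so nobody will patch or retire the asset.
        "unowned": {host for host, owner in cmdb.items() if not owner},
        # Recorded but neither seen nor managed: probably stale; keep the
        # record only if someone can vouch for the device.
        "stale": recorded - seen - managed,
    }
    return {key: sorted(hosts) for key, hosts in findings.items()}


def coverage(mdm, scan):
    """Fraction of live hosts under management: a simple programme metric."""
    seen = set(scan)
    return len(seen & set(mdm)) / len(seen) if seen else 0.0


if __name__ == "__main__":
    for category, hosts in reconcile(MDM_EXPORT, NETWORK_SCAN, CMDB).items():
        print(f"{category:10s} {', '.join(hosts) or '-'}")
    print(f"managed coverage: {coverage(MDM_EXPORT, NETWORK_SCAN):.0%}")
```

The four categories map onto different owners: ‘unknown’ goes to the security team to investigate, ‘unenrolled’ and ‘unowned’ go back to the business to assign accountability, and ‘stale’ is a data-quality task for whoever maintains the CMDB. Tracking the coverage figure over time is one concrete way of measuring whether the asset-management building block is improving.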

Controlling access

Once identified, assets need to be controlled. How strictly they are controlled is a risk-based decision. There is no sense in restricting access to an asset so much that it becomes unusable; instead, the control should be aligned to the asset’s value to the business. Sometimes the controls we apply to known assets will, by chance, also provide some protection for unknown assets, but this is not a feature to rely upon.

Defining access control means establishing which people, services and applications will be permitted to interact with assets, and, importantly, what they will be authorised to do with those assets. Physical assets must be brought into scope too, which again depends on knowing what assets you have and where they are. Not accounting for the physical security of a company server exposes the company to unmanaged risk from theft or destruction in both the physical and digital realms.

Identity control

Everyone is an identity, or a subject, and being unique extends from the physical to the virtual. Having a unique identity means access control can be effectively applied to authorised entities. However, things change, people move or leave, and their unique virtual identities must be addressed to maintain access control and underlying asset management.

Role-Based Access Control (RBAC) models depend on Directory Service data being unique and up to date, yet the routine Identity and Access Management (IDAM) work that keeps it so (joiners, movers and leavers, ownership of service accounts, removal of dormant accounts) is unglamorous and is often relegated to the back of the administration queue. This creates a very dangerous situation: bad actors seek out unmanaged identities precisely because a valid but forgotten account lets them log in rather than break in.
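To make the identity-hygiene point concrete, here is an added Python example (not part of the original post) that runs a leavers, dormancy and service-account-ownership review over a constructed directory export. The accounts, group names, HR statuses, the 90-day dormancy threshold and the set of privileged groups are all assumptions chosen for illustration; a real run would pull the same fields from your directory and HR system.

```python
"""Find unmanaged identities in a directory export: enabled leavers, dormant
accounts, dormant privileged accounts and service accounts with no live owner.

The export, HR statuses and thresholds below are constructed for illustration.
"""
from datetime import date, timedelta

AS_OF = date(2024, 6, 1)            # fixed reference date so the run is repeatable
DORMANT_AFTER = timedelta(days=90)  # assumed policy threshold
PRIVILEGED_GROUPS = {"Domain Admins", "Backup Operators"}  # assumed for the example

# Constructed export: one record per account. last_logon None = never logged on.
DIRECTORY = [
    {"name": "j.smith", "type": "user", "enabled": True, "last_logon": date(2024, 5, 30),
     "owner": None, "hr_status": "active", "groups": ["Domain Users"]},
    {"name": "p.brown", "type": "user", "enabled": True, "last_logon": date(2024, 1, 15),
     "owner": None, "hr_status": "left", "groups": ["Domain Users", "Domain Admins"]},
    {"name": "t.nguyen", "type": "user", "enabled": True, "last_logon": date(2024, 2, 1),
     "owner": None, "hr_status": "active", "groups": ["Domain Users"]},
    {"name": "svc-backup", "type": "service", "enabled": True, "last_logon": date(2024, 5, 31),
     "owner": "p.brown", "hr_status": None, "groups": ["Backup Operators"]},
    {"name": "svc-legacy", "type": "service", "enabled": True, "last_logon": None,
     "owner": "", "hr_status": None, "groups": ["Domain Users"]},
    {"name": "m.old", "type": "user", "enabled": False, "last_logon": date(2023, 3, 3),
     "owner": None, "hr_status": "left", "groups": ["Domain Users"]},
]


def review_identities(accounts, as_of=AS_OF, dormant_after=DORMANT_AFTER,
                      privileged_groups=PRIVILEGED_GROUPS):
    """Return sorted lists of account names per finding category."""
    leavers = {a["name"] for a in accounts if a["hr_status"] == "left"}
    findings = {"leaver_enabled": [], "dormant": [],
                "privileged_dormant": [], "orphaned_service": []}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled; deletion is a separate clean-up task
        name = acct["name"]
        privileged = bool(privileged_groups & set(acct["groups"]))

        # Leaver whose account was never disabled: valid credentials for an attacker.
        if acct["type"] == "user" and acct["hr_status"] == "left":
            findings["leaver_enabled"].append(name)

        # Dormant: never logged on, or not within the policy window.
        last = acct["last_logon"]
        if last is None or as_of - last > dormant_after:
            findings["dormant"].append(name)
            if privileged:
                findings["privileged_dormant"].append(name)

        # Service account with no owner, or whose owner has left the business.
        if acct["type"] == "service" and (not acct["owner"] or acct["owner"] in leavers):
            findings["orphaned_service"].append(name)
    return {key: sorted(names) for key, names in findings.items()}


if __name__ == "__main__":
    for category, names in review_identities(DIRECTORY).items():
        print(f"{category:20s} {', '.join(names) or '-'}")
```

The ‘privileged_dormant’ list is the one to action first: an unused account in an administrative group is exactly the kind of valid-access foothold the paragraph warns about. Service accounts whose owner has left are the second priority, because the credential usually lives in a script or scheduled task that nobody is maintaining.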

Change control

While it might not be the most interesting topic, Change Control is as fundamental to security as Access Control. Managing change proactively will not often win any popularity awards but absolutely will protect business value from some unexpected disruptions. Just as unmanaged change in your vehicle can be costly to you, so unmanaged change in a Microsoft tenant can be costly to business operations and productivity. 

One of the biggest blockers to effective change is poor communication. If staff, the lifeblood of any organisation, are resistant to your proposed changes and the change process, don’t expect a miracle overnight. Clearly articulating why you are making a change, and involving key stakeholders who will be impacted by the change, will deliver more buy-in than forcing a new security programme onto people.


Delivering value with your cyber security programme

Businesses are not in operation to deliver security (unless you’re a Managed Security Services Provider, of course) but security is part of delivering business value. Although security does not often deliver value from day one, it accumulates value over time by addressing administrative burden, disrupting data loss channels, and securing valued assets, which reduces risk exposure and costly breaches.

Once the fundamental aspects of security are built into your business, you should review them continually to make sure they remain suitable. Measure whether each control is actually serving you; if one is found to be under-delivering, update or remove it to avoid causing further issues.

Consistent measuring of your security programme is essential to ensure that it is serving the business and its objectives. This analysis can often lead to identifying further gaps, or new security issues that should be considered in future implementation efforts. 

Comparable to a castle’s defences, protections should be layered to provide a complementary series of controls that can effectively deter, detect, deny and delay unauthorised activity.

Talk with our experts today to find out how we can help in assessing your programme’s effectiveness in defending against emerging threats. From strategic governance to technical implementation, our experts are ready to support you on your journey.
